ALTERYX INSPIRE | Join us this May for for a multi-day virtual analytics + data science experience like no other! Register Now
The Alteryx Community will be temporarily unavailable for a few hours due to scheduled maintenance starting on Thursday, April 22nd at 5pm MST. Please plan accordingly.

Alteryx Server Knowledge Base

Definitive answers from Server experts.

Error "Access Denied" with SAML - Active Directory Federation Services (ADFS)

SethBachman
Alteryx
Alteryx
Created

Environment Details


  • Alteryx Server
    • Version 2018.2+
  • Azure SAML 2.0

 

Error "Access Denied in Gallery after enabling SAML Authentication:
There was an error logging into the external provider. The error message is: access_denied




One of the possible causes will be found within the aas.log file on the Alteryx server. You will see the following error:

"Sustainsys.Saml2.Exception.InvalidsignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted

When SAML Authentication is enabled, the aas.log files will be stored in C:/ProgramData/Alteryx/Logs and will show the authentication attempts for Gallery between the IDP (in this case Azure) and the Alteryx Server. These logs and the particular error will look like the following:

idea Skyscrapers


 

Cause


  • The client is using the Azure App Federation Metadata URL when setting up SAML in the Alteryx Server Settings. Azure SAML configuration can be found here
  • The SAML Library on the Azure environment is not configured correctly to accept the certificate through the Metadata URL. 
  • Azure recognizes the x.509 certificate, but does not trust it because the certificate is not approved. 


Resolution


  1. Setup the Alteryx Server Settings SAML IDP Configuration to use the x509 Certificate and IDP SSO URL
  2. Download the Base64 Certificate manually from Azure (or other IDP) - this can be found in Step 3 SAML Signing Certificaate of the Single Sign On Configuration.
 idea Skyscrapers
  1. In the Alteryx Server Settings, Select the Radio Button for X509 Certificate and IDP SSO URL and enter in the IDP SSO URL and paste the x509 Certificate. The IDP SSO URL is the Azure Login URL. 
  2. Save the Alteryx Settings to confirm, and you are finished! Attempt to login to the gallery. 
idea Skyscrapers
 

Additional Information

  • If the x509 certificate is ever updated on the IDP side, this process will need to be repeated to restore functionality. It would be best to fix the SAML Library so the metadata URL trusts the certificate assigned to the Gallery application. This will need to be done by the Azure Administrator.
  • For more information on how to configure Azure SAML 2.0 please see this page